From a4f94bd55d6a732e63b75fa69ddbaa21778e6eb8 Mon Sep 17 00:00:00 2001
From: schererleander
Date: Sat, 14 Mar 2026 21:31:02 +0100
Subject: refactor(secrets): move secrets to host-specific modules

---
 modules/hosts/sachiel/flake-parts.nix | 1 -
 modules/hosts/sachiel/secrets.nix | 28 ++++++++++------
 modules/system/secrets.nix | 60 -----------------------------------
 3 files changed, 18 insertions(+), 71 deletions(-)
 delete mode 100644 modules/system/secrets.nix

diff --git a/modules/hosts/sachiel/flake-parts.nix b/modules/hosts/sachiel/flake-parts.nix
index e30a532..d2ce465 100644
--- a/modules/hosts/sachiel/flake-parts.nix
+++ b/modules/hosts/sachiel/flake-parts.nix
@@ -4,7 +4,6 @@
 specialArgs = { inherit inputs; };
 modules = [
 inputs.self.modules.nixos.sachiel
- inputs.self.modules.nixos.secrets
 inputs.self.modules.nixos.openssh
 inputs.self.modules.nixos.nginx
 inputs.self.modules.nixos.nextcloud
diff --git a/modules/hosts/sachiel/secrets.nix b/modules/hosts/sachiel/secrets.nix
index c0968fd..c301477 100644
--- a/modules/hosts/sachiel/secrets.nix
+++ b/modules/hosts/sachiel/secrets.nix
@@ -7,6 +7,10 @@
 defaultSopsFile = inputs.self + /secrets/secrets.yaml;
 age.keyFile = "/etc/sops/age_key";
 secrets = {
+ "borgbase_ssh_key" = {
+ owner = "root";
+ mode = "0600";
+ };
 "nextcloud-secrets" = {
 owner = "nextcloud";
 group = "nextcloud";
@@ -16,7 +20,20 @@
 owner = "root";
 mode = "0600";
 };
- # SSL certificates
+ "borg_git_repo" = {
+ owner = "root";
+ mode = "0600";
+ };
+ "borg_nextcloud_repo" = {
+ owner = "root";
+ mode = "0600";
+ };
+ "ssh_git_pubkey" = {
+ owner = "git";
+ group = "git";
+ mode = "0400";
+ path = "/var/lib/git-server/.ssh/authorized_keys";
+ };
 "cert_fullchain" = {
 owner = "nginx";
 group = "nginx";
@@ -25,15 +42,6 @@
 owner = "nginx";
 group = "nginx";
 };
- # Backup configuration
- "borgbase_ssh_key" = {
- owner = "root";
- mode = "0600";
- };
- "borg_repo" = {
- owner = "root";
- mode = "0600";
- };
 };
 };
 };
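Review bot: Consumers of `borg_repo` (now split into `borg_git_repo` and `borg_nextcloud_repo`) and of `ssh_github_key`, `ssh_jonsbo_key` and `ssh_sachiel_key` (present in the deleted module but absent from the new sachiel list) get no replacement in this diff, so any module on sachiel that still reads e.g. `config.sops.secrets."borg_repo".path` will fail at evaluation and a dry-build of sachiel is worth running before switching. The deleted module was also the one carrying `imports = [ inputs.sops-nix.nixosModules.sops ];`; the sachiel/secrets.nix hunks start at line 7 so it is not visible whether that file has its own import, and any other host still listing `inputs.self.modules.nixos.secrets` in its modules breaks too since only sachiel's flake-parts.nix is updated here. Secrets no longer declared on any host presumably remain encrypted in `secrets/secrets.yaml`; pruning them keeps that file limited to what a host actually consumes. On style, the `# SSL certificates` and `# Backup configuration` group comments were dropped while the new entries are inserted between the nextcloud and cert blocks; a short comment such as `# Backups (borgbase)` above the borg entries would preserve the grouping the old file documented.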
diff --git a/modules/system/secrets.nix b/modules/system/secrets.nix
deleted file mode 100644
index 2a42fe7..0000000
--- a/modules/system/secrets.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- flake.modules.nixos.secrets =
- { inputs, ... }:
- {
- imports = [ inputs.sops-nix.nixosModules.sops ];
- sops = {
- defaultSopsFile = inputs.self + /secrets/secrets.yaml;
- age.keyFile = "/etc/sops/age_key";
- secrets = {
- "borgbase_ssh_key" = {
- owner = "root";
- mode = "0600";
- };
- "nextcloud-secrets" = {
- owner = "nextcloud";
- group = "nextcloud";
- mode = "0400";
- };
- "nextcloud-admin-pass" = {
- owner = "root";
- mode = "0600";
- };
- "ssh_github_key" = {
- owner = "administrator";
- mode = "0600";
- };
- "ssh_jonsbo_key" = {
- owner = "administrator";
- mode = "0600";
- };
- "ssh_sachiel_key" = {
- owner = "administrator";
- mode = "0600";
- };
- "borg_git_repo" = {
- owner = "root";
- mode = "0600";
- };
- "borg_nextcloud_repo" = {
- owner = "root";
- mode = "0600";
- };
- "ssh_git_pubkey" = {
- owner = "git";
- group = "git";
- mode = "0400";
- path = "/var/lib/git-server/.ssh/authorized_keys";
- };
- "cert_fullchain" = {
- owner = "nginx";
- group = "nginx";
- };
- "cert_private" = {
- owner = "nginx";
- group = "nginx";
- };
- };
- };
- };
-}
-- 
cgit v1.3.1